From 8a49fd3c05d69939f649c2d1a767bca08424f82a Mon Sep 17 00:00:00 2001 From: Erik Faye-Lund Date: Wed, 19 Jan 2011 10:08:24 +0100 Subject: [PATCH] player: fix potential buffer overflow Previously, sync_track_path could either overflow it's 'temp' buffer by one byte, or (even worse) end up not zero-terminating it. Correct the code by explicitly zero-terminating the result of strncpy, and reducing the lenght-parameter to strncat. --- sync/device.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sync/device.c b/sync/device.c index bb853b2..8738835 100644 --- a/sync/device.c +++ b/sync/device.c @@ -11,10 +11,11 @@ static const char *sync_track_path(const char *base, const char *name) { static char temp[FILENAME_MAX]; - strncpy(temp, base, sizeof(temp)); - strncat(temp, "_", sizeof(temp)); - strncat(temp, name, sizeof(temp)); - strncat(temp, ".track", sizeof(temp)); + strncpy(temp, base, sizeof(temp) - 1); + temp[sizeof(temp) - 1] = '\0'; + strncat(temp, "_", sizeof(temp) - 1); + strncat(temp, name, sizeof(temp) - 1); + strncat(temp, ".track", sizeof(temp) - 1); return temp; }